Zhipu AI TTS
Analysis
This is a straightforward Zhipu text-to-speech wrapper that uses a declared API key, sends the requested text to Zhipu, and writes an audio file locally.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
OUTPUT_FILE="${5:-output.${OUTPUT_FORMAT}}" ... --output "$OUTPUT_FILE" ... rm "$OUTPUT_FILE"The script writes the API response to a caller-supplied output path and removes that path on HTTP error. This is normal for generating an audio file, but an unsafe filename could overwrite or remove a file the user did not intend to replace.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
if [ -z "$ZHIPU_API_KEY" ]; then ... -H "Authorization: Bearer $ZHIPU_API_KEY"
The script requires a Zhipu API key and uses it as a bearer token for the provider request. This is expected for the stated service, but it grants access to the user's Zhipu account quota or billing.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
API_ENDPOINT="https://open.bigmodel.cn/api/paas/v4/audio/speech" ... --arg input "$TEXT" ... -d "$PAYLOAD"
The supplied text is packaged into a request and sent to Zhipu's external speech API. This is core to the TTS purpose, but it means input text leaves the local environment.